Active exploitation of Adobe ColdFusion vulnerabilities detected

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Multiple Adobe ColdFusion vulnerabilities are being actively exploited in the wild at the time of writing. These include an access control bypass flaw, tracked as CVE-2023-29298 (CVSSv3 score: 7.5), and an insecure deserialization flaw, tracked as CVE-2023-29300 (CVSSv3 score: 9.8). The observed activity chains the access control bypass with a deserialization flaw to achieve remote code execution on the ColdFusion host.

Impact

  • Successful exploitation of CVE-2023-29298 could allow a threat actor to reach the ColdFusion Administrator's CFM and CFC endpoints under /CFIDE/, bypassing the access controls that are meant to restrict them.
  • Successful exploitation of CVE-2023-29300 could allow a threat actor to execute arbitrary code on affected systems.

Successful exploitation results in more than a loss of data integrity: code runs under the ColdFusion service account, from which a threat actor can read or alter application data, drop a web shell for persistent access, and use the server as a foothold for further movement into the environment.

Vulnerability Detection

Adobe has released security updates for both vulnerabilities. Any installation running a version at or below those listed under Affected Products should be treated as vulnerable until it has been updated. The installed release and update level can be read from the Settings Summary page of the ColdFusion Administrator, or collected centrally by checking the update level of each instance.

Affected Products

CVE-2023-29298:

  • Adobe ColdFusion version 2018u16 (and earlier)
  • Adobe ColdFusion version 2021u6 (and earlier)
  • Adobe ColdFusion version 2023.0.0.330468 (and earlier)

CVE-2023-29300:

  • Adobe ColdFusion version 2018u16 (and earlier)
  • Adobe ColdFusion version 2021u6 (and earlier)
  • Adobe ColdFusion version 2023.0.0.330468 (and earlier)
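The version ranges above are easy to misread when triaging a fleet, so the following is an added example (not part of the original bulletin) of a small Python triage helper that encodes them. It accepts the "2018u16" form used in this bulletin and the dotted or comma-separated "year.0.update.build" form such as 2023.0.0.330468; the assumption that the third field of that form is the update number is the author's, not Adobe's documented format. The update levels that close CVE-2023-38203 (2018 Update 18, 2021 Update 8, 2023 Update 2) are taken from Adobe advisory APSB23-41, not from this page, and should be checked against the current advisory before use.

```python
import re

# Highest update level listed in this bulletin as affected by CVE-2023-29298 and
# CVE-2023-29300. ColdFusion 2023 is listed by build (2023.0.0.330468), the GA
# release before any numbered update, so it is recorded here as update 0.
AFFECTED_MAX_UPDATE = {2018: 16, 2021: 6, 2023: 0}

# Update level that ships the fix for CVE-2023-38203, the flaw chained with
# CVE-2023-29298 in the observed activity. Assumption: taken from Adobe advisory
# APSB23-41, not from this bulletin; verify against the current advisory.
FIXED_UPDATE_38203 = {2018: 18, 2021: 8, 2023: 2}

# Accepts "2018u16" / "2021u6" and "2023.0.0.330468" / "2021,0,08,329623".
# Assumption: in the dotted/comma form the third field is the update number.
VERSION_RE = re.compile(
    r"^(?P<rel>2018|2021|2023)"
    r"(?:u(?P<u1>\d+)|[.,]\d+[.,](?P<u2>\d+)(?:[.,]\d+)?)$"
)


def parse_version(text):
    """Return (release_year, update_number) for a ColdFusion version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    update = m["u1"] if m["u1"] is not None else m["u2"]
    return int(m["rel"]), int(update)


def assess(text):
    """Map a version string to the bulletin's affected ranges and the 38203 fix level."""
    release, update = parse_version(text)
    return {
        "release": release,
        "update": update,
        # At or below the level listed under Affected Products above.
        "affected_cve_2023_29298_29300": update <= AFFECTED_MAX_UPDATE[release],
        # Below the update that closes CVE-2023-38203 (breaks the observed chain).
        "affected_cve_2023_38203": update < FIXED_UPDATE_38203[release],
        "recommended_minimum": f"{release}u{FIXED_UPDATE_38203[release]}",
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for version in ["2018u16", "2021u6", "2021u7", "2021u8", "2023.0.0.330468"]:
        print(version, assess(version))
```

A host at 2021u7 is outside the ranges listed above but still below the CVE-2023-38203 fix level, which is exactly the state the Containment section below warns about; the helper reports both flags separately so that distinction is not lost.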

Containment, Mitigations & Remediations

At the time of writing, no standalone mitigation exists for CVE-2023-29298, and the fix Adobe initially shipped for it was subsequently found by Rapid7 to be incomplete. However, because this vulnerability is being exploited in conjunction with CVE-2023-38203, it is strongly recommended that users of the affected product versions apply Adobe's security patch for CVE-2023-38203 (ColdFusion 2018 Update 18, 2021 Update 8 and 2023 Update 2), which breaks the observed exploitation chain even though it does not close CVE-2023-29298 on its own. Independently of patching, the ColdFusion Administrator paths under /CFIDE/ should not be reachable from the internet; restrict them to trusted management networks in line with Adobe's lockdown guidance, and review web server logs for the indicators below.

Indicators of Compromise

IP Addresses:

  • 62.233.50[.]13
  • 5.182.36[.]4
  • 195.58.48[.]155

Domains:

  • oastify[.]com (the Burp Suite Collaborator callback domain; DNS resolution of its subdomains from a ColdFusion host indicates out-of-band probing for blind exploitation rather than attacker-owned infrastructure)

Files:

  • ckeditr[.]cfm (web shell written to /cfusion/wwwroot/CFIDE/ckeditr.cfm; a ColdFusion template, not a domain)
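The following is an added example, not part of the original bulletin, of how a detection engineer might sweep existing logs for the indicators above: a Python scanner that runs over web server access log lines (combined format) and DNS query log lines, flagging the listed source IPs, requests for the web shell filename, hits on the Collaborator domain, and any 2xx response for a /CFIDE/ administrator path served to a source outside the internal networks. The internal network list and the DNS log line layout are assumptions for the example and must be adapted to the environment; the sample records are constructed, not real traffic.

```python
import re
from ipaddress import ip_address, ip_network

# Indicators from this bulletin, defanging brackets removed so they match raw logs.
IOC_IPS = {"62.233.50.13", "5.182.36.4", "195.58.48.155"}
IOC_DOMAINS = {"oastify.com"}      # Burp Collaborator callback domain seen in probing
WEBSHELL_NAME = "ckeditr.cfm"      # web shell filename dropped under /CFIDE/

# Assumption: networks from which administrator access is legitimate. Adapt per site.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Apache/NGINX combined-format access log: ip ident user [ts] "METHOD target proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_internal(ip_text):
    """True when the source address falls inside one of the assumed internal networks."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False       # not an IP literal; treat as unknown rather than trusted
    return any(addr in net for net in INTERNAL_NETS)


def scan_access_log(lines):
    """Return (timestamp, source_ip, target, reasons) for every suspicious request."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue                                  # not an access-log record
        ip, target, status = m["ip"], m["target"], int(m["status"])
        path = target.split("?", 1)[0].lower()
        reasons = []
        if ip in IOC_IPS:
            reasons.append("source IP listed as IOC")
        if path.endswith("/" + WEBSHELL_NAME):
            reasons.append("request for web shell filename " + WEBSHELL_NAME)
        # Administrator endpoints under /CFIDE/ should never be served to the internet;
        # a 2xx to an external source is worth a look even when the IP is not a known IOC.
        if "/cfide/" in path and 200 <= status < 300 and not is_internal(ip):
            reasons.append("administrator path under /CFIDE/ served to an external address")
        if reasons:
            findings.append((m["ts"], ip, target, reasons))
    return findings


def scan_dns_log(lines):
    """Return (line, matched_domain) for queries naming an IOC domain or a subdomain of one."""
    hits = []
    for line in lines:
        for token in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", line):
            name = token.lower().rstrip(".")
            for dom in IOC_DOMAINS:
                if name == dom or name.endswith("." + dom):
                    hits.append((line, dom))
                    break
    return hits


# Constructed sample records (not real traffic) in the formats the scanners expect.
SAMPLE_ACCESS_LOG = [
    '62.233.50.13 - - [17/Jul/2023:10:21:04 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3120 "-" "curl/8.1.2"',
    '198.51.100.7 - - [17/Jul/2023:10:21:09 +0000] "GET /CFIDE/ckeditr.cfm HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Jul/2023:10:22:31 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Jul/2023:10:25:02 +0000] "GET /index.cfm HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    "garbage line that is not an access record",
]
# Assumed DNS log layout: "<timestamp> <host> query: <name>. IN <type>".
SAMPLE_DNS_LOG = [
    "2023-07-17T10:21:06Z cf-web-01 query: xk3j9d2.oastify.com. IN A",
    "2023-07-17T10:21:07Z cf-web-01 query: time.windows.com. IN A",
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print("ACCESS", finding)
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS   ", hit)
```

The /CFIDE/ check is the one most likely to need tuning: if the Administrator is legitimately exposed through a reverse proxy, the proxy's address must be added to INTERNAL_NETS or the real client address taken from the X-Forwarded-For field instead of the first column.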

Threat Landscape

Adobe ColdFusion is a widely deployed web application platform, frequently used for long-lived, internet-facing business applications that are patched infrequently. Threat actors generally weigh the probability of success against asset value when choosing attack surfaces, and an exposed application server with a public remote code execution flaw scores highly on both counts. ColdFusion has a history of in-the-wild exploitation, and threat actors will continue to exploit newly disclosed vulnerabilities in it to exfiltrate the sensitive data these applications hold or to disrupt the business operations that depend on them.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

CVE-2023-29298:

Common Weakness Enumeration (CWE)

CWE-284 – Improper Access Control

CVE-2023-29300:

Common Weakness Enumeration (CWE)

CWE-502 – Deserialization of Untrusted Data

Further Information

Rapid7 Advisory
